Secure your unRAID SSH Access and Tunnel using PuTTY



I've seen bits of this covered in other posts but haven't found one that is PuTTY-specific. (Or maybe I should get my eyes checked).

Nevertheless, there are many reasons you want to use a Key Pair to access your unRAID server via SSH compared to using just a username and password.

 

This is especially true if you'd like to access your server via the internet. Another benefit to doing this is the use of Tunnels. Using SSH you can tunnel into just about anything. Take this example below.

 


 

If you wanted to Access unRAID via SSH, the Windows Desktop, or any of your containers you would need to go into your router and forward all their ports, for each of the services you wanted to access.

 

So not only will SSH give you secure access to your unRAID server, but you will also be able to tunnel into any of the containers on your unRAID box, or any machine on your home network for that matter. All traffic sent over this connection will also be encrypted, giving you another layer of security! Be warned that leaving port 22 open on your router without disabling password authentication is not a good idea. Many hackers scan WAN IP addresses and if they find famously opened ports they will continuously try accessing SSH via root and a bunch of different passwords.

 

First things first, you will need to forward port 22 on your router to your unRAID server. All this does is, if you would like to access your unRAID box over the internet, you will send a request to your router's WAN IP address or Dynamic DNS address (out of scope of this article but covered here). When the SSH request hits your router, your router will forward that request on to your unRAID server.

 

1. Get DocGyver's SSH Config Tool

This will make starting and stopping the SSH Daemon as well as tweaking your SSH Settings a breeze. When you're ready head over to Community Apps and search for "SSH Config Tool". Once installed you can Access the Config Tool under Settings > Network Services > SSH


 

2. Get PuTTYGen and Generate your Keys

A key pair is made up of a Private Key and a Public Key. The public key can pretty much be given to anyone as it's, well, public. However, make sure that your private key is safe and do not distribute it.

 


 

This is admittedly an oversimplification, but basically your Public Key will be put onto your unRAID box and the Private Key will be kept on your machine. When you try to access your server over SSH, your Server will match the Public Key against the Private Key. If it's a match it will let you in. If you need to access more than one server, all you need to do is put your Public Key on said server and you can use the same Machine / Private Key to access it.

 


 

After you download PuTTY and PuTTYGen:

  1. Launch PuTTYGen and click on Generate.
  2. You will be requested to move your mouse cursor over the window to generate some randomness
  3. Enter a Key Passphrase and Confirm Passphrase (This protects your Private Key in case someone gets their hands on it)
  4. Click Save Private Key, and choose a destination (Name it id_rsa.ppk for extra points)
  5. [optional] Click Save Public Key, and choose a destination (Name it id_rsa.pub for extra points) 

 

Here's where the first problem comes in. For some reason PuTTY doesn't save the Public Key in the correct format, so just taking it from the saved file and putting it on the server won't work. Leave this window open for now; we'll come back to it.

 

3. Put your Public Key onto unRAID and Persist it

SSH into your unRAID box using PuTTY as normal and type the following:

 nano /root/.ssh/authorized_keys

Now go back to your PuTTYGen window and select all the text in the "Public key for pasting into OpenSSH authorized_keys file" section.

 

  1. Press Ctrl + C to copy the key to your clipboard
  2. Go back to your PuTTY window and right click into the window (this will paste the key into the correct file which is in the Nano editor)
  3. Press Ctrl + X to exit
  4. Press Y to save the file

 

Give the file and directory the correct permissions by typing:

chmod 600 /root/.ssh/authorized_keys
chmod 700 /root/.ssh

If you have more than one machine that you'd like to grant access, you can put their Public Keys in the same file. However, make sure each one is on its own line! One problem here is that on reboot this file will be lost, so we must persist it!

 

To do that let's first copy the authorized key file somewhere where it can be retrieved.

cp /root/.ssh/authorized_keys /boot/config/ssh/

Now open your Go file (which runs on boot) by typing:

nano /boot/config/go

This file runs whenever your unRAID server boots up. After we make these changes, it will ensure that your authorized_keys file is restored even after you restart your server. Paste the following at the end of the file:

mkdir -p /root/.ssh
chmod 700 /root/.ssh
cp /boot/config/ssh/authorized_keys /root/.ssh/
chmod 600 /root/.ssh/authorized_keys

 

4. Turn off SSH Password Authentication 

Open your unRAID UI and head over to the SSH Config Tool we downloaded above. If you need to make a change you must first Set Enable SSH Service to No. Once disabled make the following changes:

Password Authentication = No

Click Apply and Re-Enable your SSH Service.

 


 

If you try to access your unRAID server using username and password now your unRAID server should refuse. Good! Let's fix that.

 

5. Add your Private Key to PuTTY.

Open PuTTY, type your Host Name, choose a Saved Sessions name and click Save. A saved session will ensure that we don't have to keep typing your IP Address, as well as save the location of your private key file.

  1. In the tree on the left navigate to Connection > SSH > Auth. 
  2. Click on Browse and find the Private Key file we generated earlier.
  3. In the tree on the left navigate to Session
  4. Click Save

 


 

And that's pretty much it.

  1. Now try to login via SSH.
  2. unRAID will ask you which user you'd like to login as, you should type root. 
  3. unRAID will ask you for the passphrase for your Private Key File (which we created earlier)
  4. It will let you in!


 

6. Tunnel like a champ

So you've accessed your unRAID box via the internet. And you'd like to access the web UI on one of your containers. Or maybe you'd like to access another device on your network. Well using a simple Tunnel, you can do just that. In our example diagram above we see we have a Resilio Sync Docker Container with the WebUI port of 8888. 

 

To Create a Tunnel to that container and access its UI via the internet:

  1. Open PuTTY and Load your Session that we saved above.
  2. Navigate to Connection > SSH > Tunnels
  3. Choose an arbitrary Source Port (I like to start at 50001 to avoid conflict)
  4. Choose a destination (in our case IP_ADDRESS_OF_UNRAID:PORT)
  5. In the tree on the left navigate to Session
  6. Click Save

 

At this point you may have to close your SSH Session and reopen it again. Once that's done, open your favourite browser (Which should be anything other than Edge or Internet Explorer) and in the web address type:

http://127.0.0.1:50001

What's basically happening here is that we're sending a request to our Local machine, on port 50001, which is the port we have open for our SSH Tunnel. PuTTY then redirects that request via the SSH connection to the destination we specified above, which is our Resilio Sync Docker Container. And just like that, you've got yourself a Tunnel. No fancy port forwarding needed. Nice and secure over an encrypted line. Give yourself a cookie.

 


 

So give it a shot. Many companies use this approach to accessing services in their network, and it is sometimes referred to as a Bastion Host or Jump Box. I've covered it a little more in depth in one of my articles here.

 

Thanks to everyone on this post for all the guidance in getting this setup. Happy Secure Shelling!

 

 

  • Like 3
  • Thanks 2
Link to comment
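
The format problem in step 2 of the post above comes from PuTTYgen's "Save public key" writing the multi-line RFC 4716 (SSH2) form, while authorized_keys expects one line of key type, base64 blob and comment. The script below is an added example, not part of the original post; it does that conversion in plain sh, and its function names and the truncated sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn a PuTTYgen "Save public key" file (RFC 4716 / SSH2 form)
# into the single line that authorized_keys expects. Function names are
# hypothetical; the sample key is constructed and truncated, not usable.

# putty_pub_to_openssh FILE -> prints "<key-type> <base64-blob> [comment]"
putty_pub_to_openssh() {
    # Join the base64 body: drop CRs, the BEGIN/END markers and header lines
    # ("Comment: ...", including backslash-continued ones).
    blob=$(tr -d '\r' < "$1" | awk '
        /^---- BEGIN SSH2 PUBLIC KEY ----$/ { inside = 1; next }
        /^---- END SSH2 PUBLIC KEY ----$/   { inside = 0; next }
        !inside                             { next }
        cont || index($0, ":")              { cont = ($0 ~ /\\$/); next }
                                            { printf "%s", $0 }')
    comment=$(tr -d '\r' < "$1" | sed -n 's/^Comment: *"*\([^"]*\)"*$/\1/p' | head -n 1)
    # The blob begins with a 4-byte big-endian length and then the key type
    # string (for example "ssh-rsa"), so the type is read from the key itself.
    len=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tu1 -N4 |
          awk 'NF == 4 { print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }')
    case $len in ''|*[!0-9]*) len=0 ;; esac
    if [ "$len" -lt 1 ] || [ "$len" -gt 64 ]; then
        echo "no valid SSH2 public key found in $1" >&2; return 1
    fi
    type=$(printf '%s' "$blob" | base64 -d 2>/dev/null | dd bs=1 skip=4 count="$len" 2>/dev/null)
    case $type in ''|*[!a-z0-9@.-]*)
        echo "unexpected key type in $1" >&2; return 1 ;;
    esac
    printf '%s %s%s\n' "$type" "$blob" "${comment:+ $comment}"
}

# Constructed sample with CRLF line endings, as a Windows editor would save it.
make_sample() {
    printf '%s\r\n' '---- BEGIN SSH2 PUBLIC KEY ----' \
        'Comment: "rsa-key-constructed"' \
        'AAAAB3NzaC1yc2EA' 'AAADAQAB' \
        '---- END SSH2 PUBLIC KEY ----' > "$1"
}

sample=$(mktemp)
make_sample "$sample"
putty_pub_to_openssh "$sample"
rm -f "$sample"
```

On a machine with OpenSSH installed, `ssh-keygen -i -f id_rsa.pub` performs the same conversion.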

Thanks for the detailed walkthrough! I see that you're using the SSH Config tool, I noticed I can disable root login and use my same user setup for accessing shares with this plugin. It activates and adds the user to sudo (not so without the plugin) so I can escalate into root as necessary. I forget if I had to manually edit the sudoers file or create one but needless to say I prefer not having a root user to even be able to login on the system.

Link to comment

I do something similar, but to tunnel I set up a dynamic port. Connection -> SSH -> Tunnels -> Source port: 8080 and change Local to Dynamic -> Add.

 

Then I create a shortcut to Chrome with 

"C:\path\to\chrome.exe" --proxy-server="socks5://127.0.0.1:8080" --proxy-bypass-list="localhost;127.0.0.1" 

and now everything I do in that browser window acts like it's on my network.  I can access https://tower and can just click the docker and hit Webui and it loads like normal.

  • Like 1
Link to comment
  • 5 months later...

So I had this going, but it seems the Go file didn't work as intended upon restart.

When I restart the server I get the error

mkdir: cannot create directory '/root/.ssh' : File exists

chmod: cannot access '/root/.ssh/authorized_keys' $'/357/273/277/...../277' : No such file or directory

 

I start up Putty and get the server refused our key error, so I go back in with the password. 

I nano back in to /root/.ssh/authorized_keys and it seems the key is there.. but I can no longer change permissions.

I get the no such file or directory exists when trying both /root/.ssh and /root/.ssh/authorized_keys

 

No idea what's happening.

 

Edit - Fixed it! Copying and pasting was causing random errors... manually typed everything in and it's all working now!

Edited by Partial
Link to comment
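
The bytes in the chmod error above, octal 357 273 277, are the UTF-8 byte-order mark, which a Windows editor or paste can prepend invisibly; CRLF line endings and non-breaking spaces arrive the same way. The script below is an added example, not part of the thread: it reports and strips those bytes and flags lines that are not a complete key, which is how a key wrapped by the paste shows up. Function names are hypothetical, the sample keys are constructed and truncated, and the key check assumes entries without a leading options field.

```shell
#!/bin/sh
# Added example (not from the thread): report and strip invisible bytes that a
# Windows copy/paste can leave in /boot/config/go or authorized_keys.
# Function names are hypothetical; sample keys are constructed and truncated.
BOM=$(printf '\357\273\277')   # UTF-8 byte-order mark
CR=$(printf '\r')              # carriage return from CRLF line endings
NBSP=$(printf '\302\240')      # non-breaking space copied from a web page

# paste_damage FILE -> prints which of "bom", "crlf", "nbsp" occur in FILE
paste_damage() {
    found=""
    LC_ALL=C grep -qF "$BOM" "$1" && found="$found bom"
    LC_ALL=C grep -qF "$CR" "$1" && found="$found crlf"
    LC_ALL=C grep -qF "$NBSP" "$1" && found="$found nbsp"
    echo "${found# }"
}

# clean_paste SRC DST -> copy SRC to DST without BOM and CR bytes, NBSP -> space
clean_paste() {
    LC_ALL=C sed -e "s/$BOM//g" -e "s/$CR\$//" -e "s/$NBSP/ /g" "$1" > "$2"
}

# bad_key_lines FILE -> numbers of lines that are not "<type> <base64> [comment]"
# (assumes entries without a leading options field)
bad_key_lines() {
    LC_ALL=C awk '
        /^[ \t]*(#|$)/ { next }
        $1 !~ "^(ssh-|ecdsa-|sk-)" || $2 !~ "^[A-Za-z0-9+/]+=*$" {
            out = out sep NR; sep = " " }
        END { print out }' "$1"
}

# Constructed sample: BOM before the first key, CRLF endings, and a second key
# that the paste wrapped onto two lines.
make_damaged_sample() {
    printf '\357\273\277ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB laptop\r\n' > "$1"
    printf 'ssh-rsa AAAAB3NzaC1yc2EA\r\nAAADAQAB desktop\r\n' >> "$1"
}

raw=$(mktemp); fixed=$(mktemp)
make_damaged_sample "$raw"
echo "damage found: $(paste_damage "$raw")"
clean_paste "$raw" "$fixed"
echo "lines still not valid keys: $(bad_key_lines "$fixed")"
rm -f "$raw" "$fixed"
```

Stripping the bytes repairs the first key, but the wrapped key still has to be rejoined by hand: its continuation line stays flagged.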
  • 4 months later...
  • 2 months later...

Can someone tell me why I can't install this on a fresh 6.8.2 server?


 

Link to comment